SUSE SLES15: apache2-mod_wsgi / billing-data-service / inter-server-sync / etc (SUSE-SU-2023:4737-1)

critical Nessus Plugin ID 187009

Language:

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLES15 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2023:4737-1 advisory.

billing-data-service:

- Version 4.3.2-1
* Relax dependency to csp-billing-adapter-service

inter-server-sync:

- Version 0.3.1
* Require at least Go 1.20 for building SUSE packages

spacecmd:

- Version 4.3.25-1
* Update translation strings

spacewalk-backend:

- Version 4.3.25-1
* Use the new apache2-mod_wsgi package name
* Set stricter file permissions for config file
* Add table statistics and options to the support config database output
* Add CLM data collection to spacewalk-debug

spacewalk-client-tools:

- Version 4.3.17-1
* Update translation strings

spacewalk-java:

- Version 4.3.69-1

* Security fixes:
* CVE-2023-22644: Sanitize token before logging it (bsc#1210930)
* CVE-2023-22644: Fix permissions for logfiles (bsc#1210928)
* CVE-2023-22644: Log potential sensitive information only in debug mode (bsc#1210928)
* Non security fixes:
* Include in API response reboot_suggested and restart_suggested booleans
* Fix filter ID comparison when attaching filters to a CLM project (bsc#1215949)
* Fix validation of lists with empty defaults in formulas (bsc#1216555)
* Safeguard request URLs against tempering (bsc#1216754)
* Improve logging to better capture third-party library issues
* Fix issue of non-installed package listed as errata package update candidates (bsc#1212904)
* Fix issue with reporting database query pagination
* Update tomcat jars to version greater than 9.0.75
* Fix notification messages email content (bsc#1216041)
* Look for the PAYG CA certificate location in different order to find and import the correct one (bsc#1214759)
* Add salt-api socket timeout to abort stuck taskomatic jobs (bsc#1211649)
* Fix SUSE Linux Enterprise Micro PAYG detection
* Wait for lock to execute SCC sync task (bsc#1216030)
* Fix url pointing to SCC (bsc#1216690)
* Prevent download when a PAYG Server is not compliant
* Fix system.provisionSystem xmlrpc endpoint to calculate host properly (bsc#1215209)
* Include 'uuid' as system search xmlrpc results (bsc#1216380)
* Prevent losing Remote Command action result if returned JSON cannot be parsed
* Add PAYG info to UI and rest API
* Add management restrictions to SUMA PAYG when dealing with BYOS instances when no SCC credentials are set
* Fix issue where bad SCC credentials were preventing other credentials to refresh (bsc#1211355)
* Fix conversion to string if branchid is numeric in PXEEvent
* Fix token validation for shared (public) child channels (bsc#1216128)
* Prevent NullPointerException in updateSystemInfo (bsc#1217224)
* Update SCC REST call to register systems in bulk
* Enhance hardware data sent to SCC by memory
* Fix FQDN machine name mapping on proxy configuration
* Fix NullPointerException when creating PXE config for an unmanaged profile (bsc#1217223)
* Add option to filter packages by build time in CLM (jsc#SUMA-282)
* Consider server id when removing invalid erratas from rhnSet (bsc#1204235,bsc#1207012,bsc#1211560)
* Fix createSystemRecord XML-RPC API call so the Cobbler UID is persisted (bsc#1207532)

spacewalk-search:

- Version 4.3.10-1
* Include 'uuid' as system search result attribute (bsc#1216380)

spacewalk-web:

- Version 4.3.36-1
* Safeguard request URLs against tempering (bsc#1216754)
* Improve datetimepicker input formatting
* Improve logging to better capture third-party library issues
* Simplify and modernize password generation logic
* Update webpack to 5.88.2
* Handle new message from subscription-matcher (bsc#1216506)
* Add sanity checks for FQDNs in proxy configuration dialog
* Add option to filter packages by build time in CLM (jsc#SUMA-282)

subscription-matcher:

- Version 0.33
* Added missing part numbers (bsc#1216506)
* Ignore subscriptions without any associated products (bsc#1216506)
* Update Guava to version 32.0

susemanager:

- Version 4.3.33-1
* Add bootstrap repository data for SUSE Linux Enterprise Micro 5.5 (bsc#1217038)

susemanager-docs_en:

- Add SUSE Liberty Linux versions 7 and 8 to the supported features matrix in the Client Configuration Guide
- Add support for SUSE Linux Enterprise Micro 5.5 and openSUSE Leap Micro 5.5 clients to the Installation and Upgrade Guide, and to the Client Configuration Guide
- Update Twitter handle reference in documentation user interface
- Update feature table and add legend in the Configuration Management section of the Client Configuration Guide
- Fix parameter name in the Register clients section of the Client Configuration Guide
- Fix links to HTML output of SUSE Linux Enterprise Server 15 SP4 documentation
- Add note about using short hostname in the Quick Start: SAP guide (bsc#1212695)
- Mention the option to install Prometheus on Retail branch servers (bsc#1191143)
- Fix link loop and clarify some server upgrade description details in the Installation and Upgrade Guide (bsc#1214471)
- SUSE Manager 4.3 is based on SUSE Linux Enterprise 15 SP4; update the installation procedure (bsc#1213469)

susemanager-schema:

- Version 4.3.22-1
* Drop special versioned schema files
* Add unique index for rhnpackagechangelogdata table

susemanager-sls:

- Version 4.3.37-1
* Disable dnf_rhui_plugin as it breaks our susemanagerplugin (bsc#1214601)
* Fix susemanagerplugin to not overwrite header fields set by other plugins
* Let the DNF plugin log when a token was set
* Retry loading of pillars from DB on connection error (bsc#1214186)
* Recognize squashfs build results from KIWI (bsc#1216085)

susemanager-sync-data:

- Version 4.3.14-1
* SUSE Linux Enterprise 15 SP4 Long Term Service Pack Support (LTSS)
* Extended Service Pack Overlay Support (ESPOS) for High Performance Computing 15 SP5
* Long Term Service Pack Support (LTSS) for High Performance Computing 15 SP5
* Update Open Enterprise Server to 2023.4 (bsc#1215514)

uyuni-reportdb-schema:

- Version 4.3.8-1
* Provide reportdb upgrade schema path structure

How to apply this update:

1. Log in as root user to the SUSE Manager Server.
2. Stop the Spacewalk service:
`spacewalk-service stop` 3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service:
`spacewalk-service start`

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1191143

https://bugzilla.suse.com/1204235

https://bugzilla.suse.com/1207012

https://bugzilla.suse.com/1207532

https://bugzilla.suse.com/1210928

https://bugzilla.suse.com/1210930

https://bugzilla.suse.com/1211355

https://bugzilla.suse.com/1211560

https://bugzilla.suse.com/1211649

https://bugzilla.suse.com/1212695

https://bugzilla.suse.com/1212904

https://bugzilla.suse.com/1213469

https://bugzilla.suse.com/1214186

https://bugzilla.suse.com/1214471

https://bugzilla.suse.com/1214601

https://bugzilla.suse.com/1214759

https://bugzilla.suse.com/1215209

https://bugzilla.suse.com/1215514

https://bugzilla.suse.com/1215949

https://bugzilla.suse.com/1216030

https://bugzilla.suse.com/1216041

https://bugzilla.suse.com/1216085

https://bugzilla.suse.com/1216128

https://bugzilla.suse.com/1216380

https://bugzilla.suse.com/1216506

https://bugzilla.suse.com/1216555

https://bugzilla.suse.com/1216690

https://bugzilla.suse.com/1216754

https://bugzilla.suse.com/1217038

https://bugzilla.suse.com/1217223

https://bugzilla.suse.com/1217224

https://www.suse.com/security/cve/CVE-2023-22644

http://www.nessus.org/u?4ab31a00

Plugin Details

Severity: Critical

ID: 187009

File Name: suse_SU-2023-4737-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 12/15/2023

Updated: 6/25/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2023-22644

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.4

Threat Score: 7.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:susemanager-sls, p-cpe:/a:novell:suse_linux:spacewalk-base-minimal-config, p-cpe:/a:novell:suse_linux:subscription-matcher, p-cpe:/a:novell:suse_linux:spacewalk-base-minimal, p-cpe:/a:novell:suse_linux:spacewalk-backend-iss-export, p-cpe:/a:novell:suse_linux:spacewalk-java-postgresql, p-cpe:/a:novell:suse_linux:susemanager-schema-utility, p-cpe:/a:novell:suse_linux:python3-spacewalk-client-tools, p-cpe:/a:novell:suse_linux:billing-data-service, p-cpe:/a:novell:suse_linux:spacewalk-html, p-cpe:/a:novell:suse_linux:spacewalk-java-config, p-cpe:/a:novell:suse_linux:spacecmd, p-cpe:/a:novell:suse_linux:spacewalk-backend-app, p-cpe:/a:novell:suse_linux:inter-server-sync, p-cpe:/a:novell:suse_linux:susemanager-schema, p-cpe:/a:novell:suse_linux:spacewalk-backend-tools, p-cpe:/a:novell:suse_linux:susemanager-docs_en, p-cpe:/a:novell:suse_linux:spacewalk-backend-config-files, p-cpe:/a:novell:suse_linux:spacewalk-backend-xml-export-libs, p-cpe:/a:novell:suse_linux:spacewalk-base, p-cpe:/a:novell:suse_linux:susemanager-tools, p-cpe:/a:novell:suse_linux:spacewalk-backend-iss, p-cpe:/a:novell:suse_linux:spacewalk-backend-applet, p-cpe:/a:novell:suse_linux:spacewalk-backend-server, p-cpe:/a:novell:suse_linux:susemanager-docs_en-pdf, p-cpe:/a:novell:suse_linux:spacewalk-search, p-cpe:/a:novell:suse_linux:apache2-mod_wsgi, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:uyuni-config-modules, p-cpe:/a:novell:suse_linux:spacewalk-backend-xmlrpc, p-cpe:/a:novell:suse_linux:spacewalk-taskomatic, p-cpe:/a:novell:suse_linux:spacewalk-backend, p-cpe:/a:novell:suse_linux:spacewalk-backend-config-files-common, p-cpe:/a:novell:suse_linux:spacewalk-client-tools, p-cpe:/a:novell:suse_linux:spacewalk-java, p-cpe:/a:novell:suse_linux:susemanager-sync-data, p-cpe:/a:novell:suse_linux:spacewalk-backend-config-files-tool, p-cpe:/a:novell:suse_linux:uyuni-reportdb-schema, p-cpe:/a:novell:suse_linux:spacewalk-backend-sql, p-cpe:/a:novell:suse_linux:spacewalk-java-lib, p-cpe:/a:novell:suse_linux:susemanager, p-cpe:/a:novell:suse_linux:spacewalk-backend-package-push-server, p-cpe:/a:novell:suse_linux:spacewalk-backend-sql-postgresql

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/13/2023

Vulnerability Publication Date: 9/20/2023

Reference Information

CVE: CVE-2023-22644

SuSE: SUSE-SU-2023:4737-1